Password Best Practices and Standards


Protect Your Password

Your University Computing Account username and password are your key to accessing a wide range of resources at Pitt. For faculty and staff, these resources include sensitive information such as your Pitt Worx pay statements, benefits open enrollment, TIAA-CREF retirement account details, and UPMC health plan information. In addition, your University Computing Account has access to other data that is regulated by the Family Educational Rights and Privacy Act (FERPA) and Gramm-Leach-Bliley (GLB) ActYou should never share your password with anyone, for any reason. By protecting your password, you also protect the important resources and data to which your password grants you access.



Pitt Information Technology uses a robust array of sophisticated security tools to protect University information. However, everyone affiliated with Pitt shares in the critical responsibility of protecting the University’s computing environment. It is against University policy 10-02-05University policy 10-02-06, and security best practices to share your username and password with anyone. If you need to delegate responsibility for password-protected functions to another person, please call the Technology Help Desk at 412-624-HELP (4357) to request assistance. Most of our enterprise services support this type of delegation. 

Keep in mind these important password tips: 

  • Create a strong password that combines eight to 14 letters, numbers, and special characters – in general, the longer the better!
  • Be sure to log out when you have finished using the My Pitt website or other computing resources that require you to log in with your password. It is also recommended that you close all browser windows and completely exit your web browser program when you have finished using the service.
  • Change your password regularly. Students, faculty, and staff are required to change their University Computing Account password at least every 180 days.
  • Remember that no one from any reputable organization, including the University of Pittsburgh, will ever ask you to divulge your password over the phone or in an email. If you are asked for your password in an email or over the phone, this is usually a sure sign of a phishing scam.
  • Scan your computer regularly with Antivirus and Anti-Malware (Malwarebytes) since some viruses and spyware programs can collect and transmit your account information. Learn more... 
  • If you have not already done so, set your Password Security Questions at the Accounts Self-Service page.

The following table illustrates the time it would take a hacker to brute-force crack your password for different types of characters as well as character count:

Time It Takes A Hacker To Brute Force Your Password

Number of Characters Numbers Only Lowercase Letters Upper and Lowercase Letters Numbers, Upper and Lowercase Letters Numbers, Upper and Lowercase Letters, Symbols
4 Instantly Instantly Instantly Instantly Instantly
5 Instantly Instantly Instantly Instantly Instantly
6 Instantly Instantly Instantly 1 sec 5 secs
7 Instantly Instantly 25 secs 1 min 6 mins
8 Instantly 5 secs 22 mins 1 hour 8 hours
9 Instantly 2 mins 19 hours 3 days 3 weeks
10 Instantly 58 min 1 month 7 months 5 years
11 2 secs 1 day 5 years 41 years 400 years
12 25 secs 3 weeks 300 years 2k years 34k years
13 4 mins 1 year 16k years 100k years 2m years
14 41 mins 51 years 800k years 9m years 200m years
15 6 hours 1k years 43m years 600m years 15bn years
16 2 days 34k years 2bn years 37bn years 1tn years
17 4 weeks 800k years 100bn years 2tn years 93tn years
18 9 months 23m years 6tn years 100tn years 7qd years
View the original image from which this table was created at Hive Systems.      Data sourced from


Additional Password Information

All University students, faculty, and staff are required to change their University Computing Account password twice per year via the Accounts Self-Service page.

This important requirement enhances security and helps protect your data. It is one part of a larger, layered security strategy. Multiple security measures protect against hackers, phishing scams, malicious software, and myriad other threats to the University's computing environment.

Here is how the process works. You will be required to change your University Computing Account password at least once every 180 days. As you approach the 180 day limit for your current password, you will see Password Update and Security Questions windows. They will appear each time you log in to My Pitt, indicating how many days you have remaining to change your password. This information must be updated as requested by following the instructions on each page, or you could potentially be unable to access select services until this information is complete. The password cannot be re-used within a year, and you cannot reuse any of your previous six passwords.

Related Information

Additional Instructions

Frequently Asked Questions
Setting Your Security Questions
Reset Your Password if You Forget It
Important Notes about Resetting Your Password
Resetting Passwords for Sponsored Accounts



Article ID: 36
Thu 7/13/23 4:26 PM
Tue 2/13/24 3:38 PM

Related Services / Offerings (1)

SECURITY CONSULTING AND EDUCATION KnowBe4 provides security awareness resources to train, promote and reinforce information security best practices.